Koozali.org: home of the SME Server

Block spear phishing using spoofed email addresses

Offline bunkobugsy

Block spear phishing using spoofed email addresses
« on: October 15, 2020, 12:55:15 PM »
Any pointers on how to deal with these on SME, perhaps a custom SA rule?

Return-Path: <rastine@lelevelio.vilnius.lm.lt>
From: "Valid User <valid.user@domain.tld>" <rastine@lelevelio.vilnius.lm.lt>
Reply-To is missing

SPF: pass, dkim=none, dmarc=pass
Our company and contacts are profiled thoroughly.
Some users keep falling for it no matter what...

Offline bunkobugsy

Re: Block spear phishing using spoofed email addresses
« Reply #1 on: October 15, 2020, 01:21:22 PM »
Comparing Return-Path with sender won't do any good.

Finding every email address in From field and comparing them should do the trick.

Any ideas?

Offline bunkobugsy

Re: Block spear phishing using spoofed email addresses
« Reply #2 on: October 15, 2020, 01:51:28 PM »
Actually not every spoofed sender has two email addresses in the From line.

Attack coming from a distributed botnet in allowed countries, GeoIP not helping.

Trying:

db configuration setprop qpsmtpd DMARCReject disabled SPFRejectPolicy 2
signal-event email-update

Offline mmccarn

Re: Block spear phishing using spoofed email addresses
« Reply #3 on: October 16, 2020, 01:12:30 PM »
It's a tricky problem.

The emails we see most at work are "From" "CFO's Name <rando-email@gmail.com>" - The email address itself is completely valid, and passes all traditional anti-spam systems (SPF, DKIM, DMarc, etc) but the name portion of the email has been modified to match one of our senior staff. 

Usually the email domain is a major provider (gmail, hotmail, yahoo) but sometimes the email has been relayed through someone else's (probably compromised) mail server.  I can't block the major providers.  The compromised servers eventually end up on someone's RBL list, but we've already received the malicious email by that time.

There are spam filter services that claim to identify and block these sorts of emails, but I've never used any.

We could (I suppose) build a template to look for any of our local users' names combined with non-official email addresses and deliver them to 'Junkmail' but then you'd have problems with:
* users' personal emails - in case someone is locked out of their business email
* suppliers and collaborators (many of the spoofed emails we get also look like "frequent supplier's name <rando-email@gmail.com>" or "sister-organization-user's-name <rando-email@gmail.com>")

To truly identify emails like these you would need a system that keeps a record of which email addresses and names get involved in ongoing productive conversations, then do something different with emails that use the same name portion but a different email address.

I took a different tack and signed up for end-user security training from KnowBe4.  Every user is required to take a couple online courses in how to identify fake emails, then, if they get fooled and click on any of the links or attachments in a weekly fake email they win an extra 20 minute online training session in how to identify malicious email messages.  The fake emails are designed to mimic current malicious email techniques, or you can build your own templates.

Offline mmccarn

Re: Block spear phishing using spoofed email addresses
« Reply #4 on: October 16, 2020, 01:45:25 PM »
Return-Path: <rastine@lelevelio.vilnius.lm.lt>
From: "Valid User <valid.user@domain.tld>" <rastine@lelevelio.vilnius.lm.lt>

In your example, the sending email is "rastine@lelevelio.vilnius.lm.lt".  An SPF check for that domain shows that it has close to 10,000 IPs configured as valid mail servers according to its SPF records:
Code:
$ nslookup -type=txt lelevelio.vilnius.lm.lt
lelevelio.vilnius.lm.lt text = "v=spf1 mx include:spf1.vilnius.lm.lt -all"

$ nslookup -type=txt spf1.vilnius.lm.lt
Non-authoritative answer:
spf1.vilnius.lm.lt text = "v=spf1  ip4:193.219.80.0/22 ip4:158.129.128.0/19 a:darzeliai.is.lt a:outmail.is.lt -all"

193.219.80.0/22 (1016 IP addresses)
158.129.128.0/19 (8128 IP addresses)

I suspect this is a pretty large ISP, and that the sending email address is valid as far as the ISP is concerned.

If all or most of your spoofed emails follow the pattern you show, you could try to build a rule to find emails where 'From' contains two '@' signs, or where it contains '@domain.tld.*@'. 

[edit]
from https://cwiki.apache.org/confluence/display/SPAMASSASSIN/WritingRules you might get what you need by putting something like this into /etc/mail/spamassassin/local.cf -

Code:
header LOCAL_DEMONSTRATION_FROM From =~ /\@domain.tld.*\<.*\@.*\>/i
score LOCAL_DEMONSTRATION_FROM 0.1

[caveat] I have never done this myself...
« Last Edit: October 16, 2020, 03:03:32 PM by mmccarn »
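
The SPF walk done by hand in the post above, as an added example in Python (not code from the post, from SME Server or from SpamAssassin). It follows include: terms and sums the ip4: netblocks; the two TXT records quoted above are embedded as a constructed stand-in for DNS so it runs offline, and the `lookup_txt` callback, `FAKE_TXT` and `spf_ipv4_space` are this example's own names. Only ip4: terms are counted; a:/mx:/ip6: entries are reported as unresolved rather than guessed, so the figure is a lower bound on what the record authorises.

```python
import ipaddress
from typing import Callable, Dict, List, Optional, Set, Tuple

# Constructed stand-in for DNS: the two TXT records quoted in the post above.
FAKE_TXT: Dict[str, str] = {
    "lelevelio.vilnius.lm.lt": "v=spf1 mx include:spf1.vilnius.lm.lt -all",
    "spf1.vilnius.lm.lt": ("v=spf1  ip4:193.219.80.0/22 ip4:158.129.128.0/19 "
                           "a:darzeliai.is.lt a:outmail.is.lt -all"),
}


def fake_lookup(domain: str) -> str:
    """Offline TXT lookup; swap in a real resolver (e.g. dnspython) for live use."""
    return FAKE_TXT.get(domain, "")


def spf_ipv4_space(domain: str,
                   lookup_txt: Callable[[str], str] = fake_lookup,
                   max_depth: int = 10,
                   _seen: Optional[Set[str]] = None) -> Tuple[int, List[str]]:
    """Return (IPv4 addresses authorised via ip4: terms, mechanisms left unresolved).

    include: chains are followed; a:/mx:/ip6:/ptr:/exists: terms are listed as
    unresolved instead of guessed, so the count is a lower bound. max_depth
    mirrors RFC 7208's 10-lookup limit and, with _seen, stops include: loops.
    """
    seen = _seen if _seen is not None else set()
    if domain in seen or max_depth <= 0:
        return 0, [f"loop-or-depth:{domain}"]
    seen.add(domain)
    record = lookup_txt(domain)
    if not record.startswith("v=spf1"):
        return 0, [f"no-spf:{domain}"]
    total, unresolved = 0, []
    for term in record.split()[1:]:
        mech = term.lstrip("+-~?")        # drop the qualifier (+ - ~ ?)
        if mech.startswith("ip4:"):
            total += ipaddress.ip_network(mech[4:], strict=False).num_addresses
        elif mech.startswith("include:"):
            sub_total, sub_unres = spf_ipv4_space(mech[8:], lookup_txt, max_depth - 1, seen)
            total += sub_total
            unresolved.extend(sub_unres)
        elif mech == "all":
            continue
        else:                             # a, mx, ip6, ptr, exists, redirect=, exp=
            unresolved.append(mech)
    return total, unresolved


if __name__ == "__main__":
    count, left = spf_ipv4_space("lelevelio.vilnius.lm.lt")
    print(f"ip4 space: {count} addresses; unresolved: {left}")
```

A loop guard matters in practice: spammers and misconfigured ISPs both publish include: cycles, and a naive walker will recurse until it runs out of stack.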

Offline bunkobugsy

Re: Block spear phishing using spoofed email addresses
« Reply #5 on: October 16, 2020, 01:56:27 PM »
It's a tricky problem.

Absolutely :)
Problem is one can never fully trust the users.

Actually GeoIP does most of the blocking, also SMEOptimizer seems to catch quite a few
.DOC attachments containing viruses. Hope it just needs some more time to report.

Problem is they go through ClamAV undetected. Would SecuriteInfo paid 0-day help?

What seems to detect almost every .DOC virus is VirusTotal. If only they had a mail plugin that checks in real time for signatures of selected attachments, throttling lookups to 4/min.

For now I managed to stop the attack by creating 2 attachment patterns for these infected .DOC files, possibly also blocking some valid .DOC and perhaps .XLS and .PPT files.

Could this be a qpsmtpd plugin that could be used to block specific content/attachment types?

check_content_type            http://www.hjp.at/projekte/qpsmtpd/check_content_type/

This module parses a MIME message into its components and compares the content types of all parts with the contents of config/content_types. It returns OK, DENY or DECLINED on the first match, or DECLINED if there is no match.

Offline bunkobugsy

Re: Block spear phishing using spoofed email addresses
« Reply #6 on: October 16, 2020, 02:04:20 PM »
If all or most of your spoofed emails follow the pattern you show, you could try to build a rule to find emails where 'From' contains two '@' signs, or where it contains '@domain.tld.*@'.

That was my hope, but some are spoofed like:  From: "Valid User" <rastine@lelevelio.vilnius.lm.lt>
Problem is not every mail client shows the real sender email address and users are sloppy.

I suspect the attack is conducted from a large world-wide botnet after years of profiling for spear phishing.
« Last Edit: October 16, 2020, 02:21:45 PM by bunkobugsy »

Offline bunkobugsy

Re: Block spear phishing using spoofed email addresses
« Reply #7 on: October 19, 2020, 10:44:42 AM »
Another idea is to blacklist every TLD from the geoip badcountries list in the WBL panel: ^.*@.*\.tld$
Just in case they are spamming from servers located in other countries (I've had a few cases).

Offline ReetP

Re: Block spear phishing using spoofed email addresses
« Reply #8 on: October 20, 2020, 10:29:09 AM »
Best idea of all is to can email ;-)

Can't wait for the day it is consigned to the same bin that Fax was..... !
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline bunkobugsy

Re: Block spear phishing using spoofed email addresses
« Reply #9 on: October 20, 2020, 03:40:06 PM »
Till then:
www.securiteinfo.com/services/anti-spam-anti-virus/improve-detection-rate-of-zero-day-malwares-for-clamav.shtml?lg=en
ClamAV even with free securiteinfo bases barely ever catches anything.
Currently on 1 week trial of 0day bases, pro account worth every penny :)
Tested another linux qmail antivirus, server became unresponsive.
« Last Edit: October 21, 2020, 01:11:32 AM by bunkobugsy »


Offline bunkobugsy

Re: Block spear phishing using spoofed email addresses
« Reply #11 on: October 22, 2020, 10:28:02 PM »
I presume that isn't fixing your original spoofed email address issue?

No, it only fixes the problem they create, i.e. blocks .doc attachments with malware.
I sincerely think it's a must-have add-on for the otherwise almost useless clamav bases, endpoint AV can fail too. Anyone can try it free for a week when malware is slipping through. Another great thing is the free sanesecurity foxhole database.

SMEOptimizer has kicked in nicely banning few thousand mails per day, 80% still blocked by GeoIP.

Horde 5.2 also has a nice red warning box about phishing attempt when it detects links with differing href, too bad webmail isn't used much.

I still think a SA rule can be customized for spoofed from email addresses, just don't know how.
https://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Plugin_FromNameSpoof.txt

https://www.roaringpenguin.com/wiki/index.php/Spoofed_Addresses
« Last Edit: October 22, 2020, 10:34:36 PM by bunkobugsy »

Offline Michail Pappas

Re: Block spear phishing using spoofed email addresses
« Reply #12 on: October 26, 2020, 08:01:47 AM »
I was about to open a new thread for this issue, really glad I've found this one.

Searching around, I've stumbled into this 3-year old thread that tries to handle this problem by creating a custom SA rule. See:
https://mail-archives.apache.org/mod_mbox/spamassassin-users/201710.mbox/%3calpine.LNX.2.00.1710021204300.25845@athena.impsec.org%3e

So my question would be, how can one include the following rule in SME?
Code:
header  __FROM_QUOTES           From =~ /"/
header  __FROM_MAYBE_SPOOF      From:name =~ /\w@\w/
meta    __FROM_SPOOF            __FROM_MAYBE_SPOOF && !__FROM_QUOTES

Caveat emptor: this is untested! I'm more than happy to test this rule on my production box. Especially in the last week I've been receiving tons of malware which my security product (and ClamAV of course on SME) is not detecting. And not only that, but also all the, say, "tier-1" AVs (Kaspersky, ESET, Bitdefender, Avira, Avast...)!

This is scaring me, first time I actually have to do something proactive on the mail server to at least put a halt to these forged emails and the only way to handle them will be via antispam and not AV.
« Last Edit: October 26, 2020, 09:12:27 AM by Michail Pappas »
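
The checks discussed so far in this thread (the two-'@' From pattern from Reply #4 and the `From:name =~ /\w@\w/` rule quoted just above) as one stand-alone example in Python rather than a SpamAssassin rule; it is an added example, not code from the forum, from SME Server or from SpamAssassin. It also implements mmccarn's suggestion of comparing a familiar display name against the addresses that name normally uses: `KNOWN_SENDERS` is a constructed stand-in for such a directory, and `check_from` and `_normalise_name` are this example's own names. The sample From: values are the ones quoted in the thread.

```python
import re
from email.header import decode_header, make_header
from email.utils import parseaddr
from typing import Dict, List, Set

# Any e-mail address hiding inside the display-name part of From:.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed stand-in for a directory / contact history:
# normalised display name -> addresses that name is known to use.
KNOWN_SENDERS: Dict[str, Set[str]] = {
    "valid user": {"valid.user@domain.tld"},
}


def _normalise_name(name: str) -> str:
    """Lower-case the display name with any embedded address and brackets removed."""
    stripped = EMAIL_RE.sub("", name)
    return " ".join(stripped.split()).strip(" \"'<>").lower()


def check_from(raw_from: str) -> List[str]:
    """Return reason codes for a From: header value; [] means no finding.

    RFC 2047 encoded words are decoded first, because a spoofer can hide the
    display name behind =?utf-8?b?...?= to slip past a plain header regex.
    """
    decoded = str(make_header(decode_header(raw_from)))
    name, addr = parseaddr(decoded)
    addr_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    reasons: List[str] = []

    embedded = EMAIL_RE.findall(name)
    if embedded:                                   # the "two @ signs" pattern
        reasons.append("name_contains_email")
        if any(e.rsplit("@", 1)[-1].lower() != addr_domain for e in embedded):
            reasons.append("name_email_domain_differs")

    known = KNOWN_SENDERS.get(_normalise_name(name))
    if known is not None and addr.lower() not in known:
        reasons.append("known_name_unknown_addr")  # familiar name, unfamiliar address
    return reasons


if __name__ == "__main__":
    for sample in (
        '"Valid User <valid.user@domain.tld>" <rastine@lelevelio.vilnius.lm.lt>',
        '"Valid User" <rastine@lelevelio.vilnius.lm.lt>',
        "Valid User <valid.user@domain.tld>",
    ):
        print(check_from(sample) or "clean", "<-", sample)
```

The third reason code is the one that catches the `"Valid User" <rastine@...>` variant bunkobugsy mentioned, where there is no second address to regex for; it only works as well as the name-to-address table behind it, which is the same limitation mmccarn noted for personal and supplier addresses.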

Offline mmccarn

Re: Block spear phishing using spoofed email addresses
« Reply #13 on: October 26, 2020, 12:01:24 PM »
There's an existing spamassassin plugin named FromNameSpoof that includes a header test __PLUGIN_FROMNAME_EMAIL

Here are instructions from the Zimbra Wiki on enabling this plugin:
https://wiki.zimbra.com/wiki/FromName_Spoofing

And here are notes from contribs.org on creating custom rule scores:
https://wiki.contribs.org/Email#Custom_Rule_Scores

Part of the zimbra instructions say you need to load the fromnamespoof plugin.  I *think* you would do that by editing /etc/mail/spamassassin/v342.pre directly, as that file does not appear to be templated - but I don't know for sure how the spamassassin config coordinates with qpsmtpd and spamd.

Otherwise, to directly answer your question - I *think* you'd add your custom code into 'local.cf' (see link above) along with your desired score.

Offline ReetP

Re: Block spear phishing using spoofed email addresses
« Reply #14 on: October 26, 2020, 03:47:43 PM »
Ahhh - this is NOT as easy as it at first seems.

I was just trying to hunt for where I added some custom templates for this. Answer is here:

/etc/e-smith/templates-custom/etc/mail/spamassassin/local.cf

Here's a fragment I created when messing with Geoip2.

cat 82geoiprelay

Code:
# Mark GeoIP Relay Countries

ifplugin Mail::SpamAssassin::Plugin::RelayCountry

# We can add this header as RELAYCOUNTRY is a tag in RelayCountry.pm
add_header all Relay-Country _RELAYCOUNTRY_

# If we template properly we could use qpsmtpd BadCountries here

header RELAYCOUNTRY_BAD X-Relay-Countries =~ /(CN|RU|UA|RO|VN|US)/
describe RELAYCOUNTRY_BAD Relayed through spammy country at some point
score RELAYCOUNTRY_BAD 1.5

header RELAYCOUNTRY_GOOD X-Relay-Countries =~ /^(DE|AT|CH|FR)/
describe RELAYCOUNTRY_GOOD First untrusted GW is DE, AT,CH or FR
score RELAYCOUNTRY_GOOD -0.5

endif # Mail::SpamAssassin::Plugin::RelayCountry

This adds a header to the mail like this:

Code:
X-Spam-Details: *  0.0 RCVD_IN_DNSWL_BLOCKED RBL: ADMINISTRATOR NOTICE: The query to
*      Blah blah
*      Blah blah
* -0.5 RELAYCOUNTRY_GOOD First untrusted GW is DE, AT,CH or FR <<<<<<<<< Here

Woohoo - we can do some rules or whatever to deal with this.

HOWEVER, for your solution you look like you will need:

Mail::SpamAssassin::Plugin::FromNameSpoof

See the CPan page for help on the format of the plugin.

And that looks like it first appeared in Spamassassin 3.4.2

The default on SME v9 is something like 3.3.x and on SME v10 it is 3.4.0 so that plugin won't be available.

I can see that it is in the test build of 3.4.2 that I built a year or two back and which is in the SME Dev repo. I have had it running for a few years and it hasn't broken yet...!

You can give it a whirl if you want.

Code:
yum --enablerepo=smedev install spamassassin
I'll look at v3.4.4 and at adding it to v10 - no point doing any work on v9 now.

Offline ReetP

Re: Block spear phishing using spoofed email addresses
« Reply #15 on: October 26, 2020, 04:53:46 PM »
OK - so here is a basic outline. No idea how to test it - need some spoofed mails !

/etc/e-smith/templates-custom/etc/mail/spamassassin/local.cf/84fromnamespoof
signal-event email-update

Check the logs in qpsmtpd and spamd

Code:
ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
header   __PLUGIN_FROMNAME_EMAIL  eval:check_fromname_contains_email()
Describe FROMNAME_EMAIL Does From name contain an email address
header   __PLUGIN_FROMNAME_DIFFERENT  eval:check_fromname_different()
Describe FROMNAME_DIFFERENT Is the From:name different to the From:addr header
header   __PLUGIN_FROMNAME_OWNERS_DIFFER  eval:check_fromname_owners_differ()
Describe FROMNAME_OWNERS_DIFFER From:name and From:addr owners differ
header   __PLUGIN_FROMNAME_DOMAIN_DIFFER  eval:check_fromname_domain_differ()
Describe FROMNAME_DOMAIN_DIFFER From:name domain differs to from header
header   __PLUGIN_FROMNAME_SPOOF  eval:check_fromname_spoof()
Describe FROMNAME_SPOOF From:name and From:address don't match and owners differ
header __PLUGIN_FROMNAME_EQUALS_TO  eval:check_fromname_equals_to()
Describe FROMNAME_EQUALS_TO From:name address matches To:address
dns_check 1
endif # Mail::SpamAssassin::Plugin::FromNameSpoof

Note the sample lines from the PM file

Code:
# Samples from the pm file

#header   __PLUGIN_FROMNAME_SPOOF eval:check_fromname_spoof()
#header   __PLUGIN_FROMNAME_EQUALS_TO eval:check_fromname_equals_to()

#meta     FROMNAME_SPOOF_EQUALS_TO  (__PLUGIN_FROMNAME_SPOOF && __PLUGIN_FROMNAME_EQUALS_TO)
#describe FROMNAME_SPOOF_EQUALS_TO From:name is spoof to look like To: address
#score    FROMNAME_SPOOF_EQUALS_TO 1.2

Be pleased if someone wants to try and test this with the 3.4.2 rpm in smedev and we could add this as an option in spamassassin.

Cpan info here:

https://metacpan.org/pod/Mail::SpamAssassin::Plugin::FromNameSpoof
« Last Edit: October 26, 2020, 04:57:23 PM by ReetP »

Offline bunkobugsy

Re: Block spear phishing using spoofed email addresses
« Reply #16 on: October 27, 2020, 09:27:35 AM »
I can see that it is in the test build of 3.4.2 that I built a year or two back and which is in the SME Dev repo.

On it since last year.

Could you advise about the content of /etc/e-smith/templates-custom/etc/mail/spamassassin/local.cf/84fromnamespoof

Thank you.

Offline ReetP

Re: Block spear phishing using spoofed email addresses
« Reply #17 on: October 27, 2020, 10:21:54 AM »
On it since last year.

Cool. Hope to have a 3.4.4 done soon.
Just figuring some build options.

Quote
Could you advise about the content of /etc/e-smith/templates-custom/etc/mail/spamassassin/local.cf/84fromnamespoof

All I know is written above.

Anything else you'll have to figure from the documentation or reading about.

I've done the hard work :lol: You need to do a bit yourself now.... !

Try using their sample code first as above.

Uncomment it and wrap it with the 'if' sections.

Email update, check local.cf for content, send/wait for spoof mail while watching logs.

Better if you can generate a spoof mail to test.

Offline ReetP

Re: Block spear phishing using spoofed email addresses
« Reply #18 on: October 27, 2020, 11:13:41 AM »
On it since last year.

Just a thought but why did you not comment on this bug with your testing? The package could probably have been released to benefit others..... Just using it silently helps no one but yourself.

https://bugs.contribs.org/show_bug.cgi?id=10597

If you test things PLEASE let developers know.

Offline bunkobugsy

Re: Block spear phishing using spoofed email addresses
« Reply #19 on: October 27, 2020, 12:18:40 PM »
I usually do: https://bugs.contribs.org/show_bug.cgi?id=10597#c13

Not really into SA, don't know how I ended up with it, Geoip2 seemed to work otherwise.

http://distro.ibiblio.org/smeserver/releases/9.2/smeupdates/x86_64/RPMS/spamassassin-3.4.2-2.el6.sme.x86_64.rpm      2019-Jan-20 17:27:30
« Last Edit: October 27, 2020, 12:52:26 PM by bunkobugsy »

Offline ReetP

Re: Block spear phishing using spoofed email addresses
« Reply #20 on: October 27, 2020, 02:45:14 PM »
http://distro.ibiblio.org/smeserver/releases/9.2/smeupdates/x86_64/RPMS/spamassassin-3.4.2-2.el6.sme.x86_64.rpm      2019-Jan-20 17:27:30

Ahhh - OK.

Sorry - it seems that someone released this and never closed out the bug :shock:

I thought it was still testing!

Offline bunkobugsy

Re: Block spear phishing using spoofed email addresses
« Reply #21 on: October 28, 2020, 11:12:41 PM »
Cool. Hope to have a 3.4.4 done soon.
Just figuring some build options.

Even 3.4.3 has a new plugin that could be useful (if it works):

# OLEVBMacro - Detects both OLE macros and VB code inside Office documents
#
# It tries to discern between safe and malicious code but due to the threat
# macros present to security, many places block these type of documents
# outright.
#
# For this plugin to work, Archive::Zip and IO::String modules are required.
# loadplugin Mail::SpamAssassin::Plugin::OLEVBMacro

To enable, uncomment the loadplugin configuration options in file v343.pre
« Last Edit: October 28, 2020, 11:16:19 PM by bunkobugsy »

Offline bunkobugsy

Re: Block spear phishing using spoofed email addresses
« Reply #22 on: October 28, 2020, 11:57:50 PM »
So I uncommented relevant loadplugin line in /etc/mail/spamassassin/v342.pre

added to /etc/e-smith/templates-custom/etc/mail/spamassassin/local.cf/84fromnamespoof:

header __PLUGIN_FROMNAME_SPOOF eval:check_fromname_spoof()
describe FROMNAME_SPOOF From:name and From:address don't match and owners differ
score FROMNAME_SPOOF 1.2

ignored 'ifplugin' section and ran signal-event email-update
but nothing relevant is showing up in spamd log other than some T_FROMNAME_SPOOFED_EMAIL

Maybe because adding every TLD from geoip badcountries list to WBL panel blacklist  ^.*@.*\.tld$  really cut back on spam.
SMEOptimizer had to go for now, community blacklist was blocking a lot of legitimate mail.
« Last Edit: October 29, 2020, 12:06:41 AM by bunkobugsy »

Offline ReetP

Re: Block spear phishing using spoofed email addresses
« Reply #23 on: October 29, 2020, 12:09:34 AM »
Even 3.4.3 has a new plugin that could be useful (if it works):

Yeah - give me a bloody chance!!

On top of building and importing smeserver-smeadmin (was sme9admin but we've removed the number), smeserver-systemd-control (ripped from nethesis for control of systemctl), smeserver-wsdd (work by Mr Fage to give you NetBIOS-type browsing on shares without SMB v1), I have also had to build and import a new version of DCC for Spamassassin, test-build Spamassassin 3.4.4 to see if it will work on EL7, fix the smeserver-arpwatch import I buggered up for Brian, and then spent a lot of time with Terry trying to figure out if we can build plague on CentOS 8. Non trivial.

On top of that I have had to try and teach my company's web dev (a seriously smart woman) how to run some PHP apps that they really should be able to debug themselves, and try and do some other work to keep some food on the table.

If my wife (my boss) knew how much time I have given to SME today alone she would have a hissy fit.

Now, I am just a volunteer here. I am no great hacky person - just an amateur. And pretty well *everything* I can do I learned by getting involved and DOING something.

So, please, get involved and actually do something. Set up a build machine. Try building an rpm. Post your patch. Test some of the contribs that have been built - properly. If you can't, then read, and learn, ask us questions, and try. Make it happen - don't just leave a few pointers and wishes and hope that 'someone else' will fix it.

*I* can't really afford the time. But you have to find some and make it happen.

Sorry - long day, and my eyes are square.

Offline ReetP

Re: Block spear phishing using spoofed email addresses
« Reply #24 on: October 29, 2020, 12:16:42 AM »
So I uncommented relevant loadplugin line in /etc/mail/spamassassin/v342.pre

Good catch - I missed that. Probably needs a template or something

That is important and needs going on a bug/NFR against Spamassassin with the other stuff here.

Quote
ignored 'ifplugin' section and ran signal-event email-update
but nothing relevant is showing up in spamd log other than some T_FROMNAME_SPOOFED_EMAIL

OK.

Quote
Maybe because adding every TLD from geoip badcountries list to WBL panel blacklist  ^.*@.*\.tld$  really cut back on spam.

When you test you HAVE to be methodical. So you added that and now have nothing much to test against :-(

Can you please remove that and see what happens?

Quote
SMEOptimizer had to go for now, community blacklist was blocking a lot of legitimate mail.

There is either a thread here or you can open a bug, but it should be reported.

Offline bunkobugsy

Re: Block spear phishing using spoofed email addresses
« Reply #25 on: October 29, 2020, 12:30:08 AM »
Sorry, didn't mean to push anybody or demand anything.
Just added my findings.
I really love SME 9.3, I think it's top notch and will run it for a (good) while.
I don't think I can be of any real use (with my level of understanding perl) other than testing.
Will try to test SME10 contribs. (was going to anyway)
« Last Edit: October 29, 2020, 12:36:12 AM by bunkobugsy »

Offline ReetP

Re: Block spear phishing using spoofed email addresses
« Reply #26 on: October 29, 2020, 12:44:28 AM »
Sorry, didn't mean to push anybody or demand anything.

I know - but when we read it, that's how it seems....

Quote
Just added my findings.

Indeed. They are good. Be methodical and document it properly. Add bugs. The more you do, the more you learn.

Quote
I realy love SME 9.3, I think it's top notch and will run it for a (good) while.

We all do. Yes, it'll run for decades. But support is being terminated by RHEL/CentOS. Any new issues will not be fixed. We have to move on (there are still quite a few v7 and v8 machines out there!!). Believe me, I am no lover of systemd..... !

Quote
I don't think I can be of any real use (with my level of understanding perl) other than testing. Will try to test SME10 contribs. (was going to anyway)

I think that you, along with many others, completely misjudge just how much you know, how much some of us know, and how much use you really can be. You do not have to be some perl guru - I'm not.

Seriously, we have a couple of absolutely top notch people. But a lot of us are not geniuses - quite a few of us are really just part time hacks!!! We do it for fun.

My skills are not that great. I can code a little - but I am no programmer. I can build & import rpms - but that is because I have bothered to ask questions and learn - not because I am some super cool hacker. I do it by a simple method, and I break lots of things too :-)

Go have a look at my old posts from years ago, and bugs. You will see what happened over the years. I am no smarter. Just a bit wiser.

So, don't put yourself down. Come and join in. None of us bite. We all like to learn and help each other. That way we all get better.

Offline Michail Pappas

Re: Block spear phishing using spoofed email addresses
« Reply #27 on: October 29, 2020, 09:55:49 AM »
@ReetP and @mmccarn: can't really thank you enough for your help! :)

I've got my hands full today, with any luck I'll install SA 3.4 tomorrow and try to include this check.

Offline bunkobugsy

Re: Block spear phishing using spoofed email addresses
« Reply #28 on: October 30, 2020, 01:56:46 PM »
They just went to another level: infected .doc files are zipped and password-protected, password in the mail body.

So there's no need to uncomment loadplugin line in /etc/mail/spamassassin/v342.pre and
to create /etc/e-smith/templates-custom/etc/mail/spamassassin/local.cf/84fromnamespoof

It can be be done the documented way: https://wiki.contribs.org/Email#Custom_Rule_Scores
FromNameSpoof tests are already defined in the regularly updated /var/lib/spamassassin/3.004002/updates_spamassassin_org/72_active.cf file with commented-out scores.
A lot of rules are defined there but they score 0, so just by analyzing email and customizing scores spam can be deferred.

Just create /etc/e-smith/templates-custom/etc/mail/spamassassin/local.cf/20localscores:

loadplugin Mail::SpamAssassin::Plugin::FromNameSpoof
score T_FROMNAME_SPOOFED_EMAIL 1.3
score T_GB_FROMNAME_SPOOFED_EMAIL_IP 1.5

then   signal-event email-update

Offline ReetP

Re: Block spear phishing using spoofed email addresses
« Reply #29 on: October 30, 2020, 02:05:06 PM »
I'd like a bug against spamassassin in v10 but there is no package yet.

I'll try and get it done in the next few days.

Up to my neck in real life right now!!

Offline bunkobugsy

Re: Block spear phishing using spoofed email addresses
« Reply #30 on: October 30, 2020, 03:12:09 PM »
Just a heads-up for anyone trying FromNameSpoof, a patch is needed for SA 3.4.2:

"Not a HASH reference at /usr/share/perl/5.24.1/Mail/SpamAssassin/Plugin/FromNameSpoof.pm line 319"  just popped up in spamd log. So:

cd /usr/share/perl5/vendor_perl/Mail/SpamAssassin/Plugin
cp -p FromNameSpoof.pm FromNameSpoof.pm~orig
wget -O FromNameSpoof.pm "https://svn.apache.org/viewvc/spamassassin/branches/3.4/lib/Mail/SpamAssassin/Plugin/FromNameSpoof.pm?revision=1842029&view=co&pathrev=1842029"

https://forum.directadmin.com/threads/not-a-hash-reference-at-fromnamespoof-pm-line-319.57128/
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7624

Offline bunkobugsy

Re: Block spear phishing using spoofed email addresses
« Reply #31 on: October 30, 2020, 03:47:56 PM »
They just went to another level: infected .doc files are zipped and password-protected, password in the mail body.

config setprop clamav ArchiveBlockEncrypted yes
expand-template /etc/clamd.conf
sv t clamd

clamd log:   Archive: Blocking encrypted archives.

Offline bunkobugsy

Re: Block spear phishing using spoofed email addresses
« Reply #32 on: October 30, 2020, 11:34:21 PM »
This will block .doc, .xls (but not .docx, .xlsx) containing ANY macros (including benevolent ones):

create /etc/e-smith/templates-custom/etc/clamd.conf/OLE2BlockMacros containing:
OLE2BlockMacros yes

then run:
expand-template /etc/clamd.conf
sv t clamd

Clamd log should show: OLE2: Blocking all VBA macros. and Heuristics.OLE2.ContainsMacros FOUND
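
The two attachment evasions covered by the last three posts (password-protected ZIPs with the password in the body, answered with ArchiveBlockEncrypted, and macro-bearing Office files, answered with OLE2BlockMacros) as one added example in Python. It is not ClamAV code and does not replicate what those two options do internally; it is a minimal stand-in a mail filter could run beside the AV to see which attachments would be caught. Everything it scans is constructed in memory: the "encrypted" ZIP only has the ZIP encryption flag bit set, the .docm is a ZIP containing a `word/vbaProject.bin` entry, and the legacy .doc is just the OLE2 magic followed by the UTF-16 stream name `_VBA_PROJECT`, which is the heuristic this example uses in place of real CFB directory parsing. `scan_message`, `classify_attachment`, `zip_findings` and `build_sample_message` are this example's own names.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage
from typing import Dict, List

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"       # CFB / legacy Office header
VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")       # CFB directory names are UTF-16LE
ZIP_ENCRYPTED = 0x1                                    # general-purpose flag bit 0


def zip_findings(data: bytes) -> List[str]:
    """Report encrypted entries and OOXML macro containers inside a ZIP."""
    out: List[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.flag_bits & ZIP_ENCRYPTED:
                out.append(f"encrypted-entry:{info.filename}")
            if info.filename.lower().endswith("vbaproject.bin"):   # .docm/.xlsm/.pptm
                out.append(f"ooxml-macro:{info.filename}")
    return out


def classify_attachment(data: bytes) -> List[str]:
    """Return reason codes for one decoded attachment; [] means nothing found."""
    if data.startswith(b"PK\x03\x04"):
        try:
            return zip_findings(data)
        except zipfile.BadZipFile:
            return ["corrupt-zip"]
    if data.startswith(OLE2_MAGIC) and VBA_MARKER in data:
        return ["ole2-macro"]          # heuristic stand-in for real CFB parsing
    return []


def scan_message(raw: bytes) -> Dict[str, List[str]]:
    """Map each named attachment in a raw RFC 5322 message to its findings."""
    results: Dict[str, List[str]] = {}
    for part in message_from_bytes(raw).walk():
        filename = part.get_filename()
        if filename is None or part.is_multipart():
            continue
        results[filename] = classify_attachment(part.get_payload(decode=True))
    return results


def _zip_bytes(entries: Dict[str, bytes], mark_encrypted: bool = False) -> bytes:
    """Build a ZIP in memory; optionally flag its entries as encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    data = bytearray(buf.getvalue())
    if mark_encrypted:
        # Constructed: set bit 0 of the flags in every local header (offset 6)
        # and central-directory entry (offset 8). The payload is not really
        # encrypted, but any ZIP reader now reports the entries as such.
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(sig)
            while pos != -1:
                data[pos + off] |= ZIP_ENCRYPTED
                pos = data.find(sig, pos + 4)
    return bytes(data)


def build_sample_message() -> bytes:
    """Constructed lure: password in the body, three bad attachments, one clean."""
    msg = EmailMessage()
    msg["From"] = '"Valid User" <rastine@lelevelio.vilnius.lm.lt>'
    msg["To"] = "valid.user@domain.tld"
    msg["Subject"] = "Invoice"
    msg.set_content("Please open the attached invoice. The archive password is 1234.")
    msg.add_attachment(_zip_bytes({"invoice.doc": b"not really encrypted"}, mark_encrypted=True),
                       maintype="application", subtype="zip", filename="invoice.zip")
    msg.add_attachment(_zip_bytes({"[Content_Types].xml": b"<Types/>",
                                   "word/vbaProject.bin": b"\x01\x00"}),
                       maintype="application", subtype="octet-stream", filename="report.docm")
    msg.add_attachment(OLE2_MAGIC + b"\x00" * 504 + VBA_MARKER + b"\x00" * 8,
                       maintype="application", subtype="msword", filename="old.doc")
    msg.add_attachment(b"%PDF-1.4\n%%EOF\n", maintype="application", subtype="pdf",
                       filename="clean.pdf")
    return bytes(msg)


if __name__ == "__main__":
    for name, reasons in scan_message(build_sample_message()).items():
        print(f"{name:12s} {'BLOCK ' + ', '.join(reasons) if reasons else 'ok'}")
```

Blocking on the encryption flag is exactly the trade-off ArchiveBlockEncrypted makes: the scanner cannot see inside, so the archive is rejected on structure alone, and legitimate password-protected archives are lost with it. The macro check has the same property the last post notes for OLE2BlockMacros: it fires on any VBA project, benign or not.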